Hi Tampabelle,
XP machine is already disconnected from the internet.
I removed SpyBot S&D a while back, so it isn't running.
Scanned with Hijack This, checked items:
ok R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
ok R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
ok R3 - Default URLSearchHook is missing
ok O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\hklrun.exe reg_run
ok O4 - HKCU\..\Run: [J0q2Rkjng] mshplwiz.exe
ok O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
ok O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
ok O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
ok O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
ok O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
ok O4 - Global Startup: RDUN.EXE
ok O15 - Trusted Zone: *.sxload.com
???Why is it showing TeaTimer? The \Program Files\Spybot - Search & Destroy folder just has a subfolder in it, no files.???
Closed windows other than Hijack This. Clicked on Fix checked.
Tried to reboot the PC in Safe Mode. On the first try, I had left a floppy in A: (not bootable), and I had to press a key. So even though I had pressed F8 several times, it booted to the regular login. I restarted to Safe and logged in as Administrator.
Went to Control Panel / Add or Remove Programs
Not found:
WhenUSearch / WhenUSearch Desktop Toolbar / Desktop Toolbar [WhenUSearch]
FYI List of possibly suspicious stuff on the Add/Remove list (I didn't touch them, just letting you know):
Casino Tropez 62.59MB
Content Delivery Module 1.62MB
Display Utility (no size)
Google Toolbar for Internet Explorer (0.28MB)
Internet Update (no size)
PartyPoker 9.31MB
Personal Money Tree 0.41MB
Quick Links 0.02MB
Search Fast Communicator 1.0
OK, to continue...
Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -
C:\Program Files\sf - not seen by explore
C:\Program Files\Cas - not seen by explore, there is a "CasStub" I didn't disturb it.
C:\WINDOWS\sfita.exe - not seen by explore
C:\WINDOWS\System32\hklrun.exe - present but not deletable - "in use"
C:\WINDOWS\System32\SMSSU.EXE - not seen by explore, there is a "SMSS.EXE" I didn't disturb it.
C:\WINDOWS\System32\Tmntsrv32.EXE - not seen by explore
mshplwiz.exe - not in C:\WINDOWS\System32
RDUN.EXE - not in C:\WINDOWS\System32, per CMD DIR there are copies in \HJT (that I put there) and \BU050627\Documents and Settings\All Users\Start Menu\Programs\Startup - I didn't disturb them.
Where did you want me to look for them?
Clear out the files in the Prefetch folder. Done, 55 items.
Rebooted Normal / login Tina.
Installed SpyBot S&D & loaded definition files. (Did not install realtime protection.)
Scan showed:
CoolWWWSearch/IE start page
Delfin Project/Settings
DyFuCA/Settings
Pacimedia/Settings
I asked it to fix all, it said 4 problems fixed. Restarted normally/Tina
Ran Hijack This, here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 5:34:44 PM, on 7/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
KGHN